Closed VayneValerius closed 1 month ago
pdfjs-dist has a high level, arbitrary code injection vulnerability for versions <= 4.1.392. react-pdf is still using a 3.x.x version.
pdfjs-dist
I can see that the isEvalSupported option has been set to false in the 8.0.2 release, which stops the vun from being possible, but for ci pipelines that use a tool like docker scout, it will fail deployments regardless.
isEvalSupported
Update pdfjs-dist to 4.2.67
The alternative has already been implemented, which is fine for users who don't give a hoot about security.
No response
Duplicate of #1664
wojtekmaj
commented
1 month ago wojtekmaj
commented
1 month ago
Before you start - checklist
Description
pdfjs-disthas a high level, arbitrary code injection vulnerability for versions <= 4.1.392. react-pdf is still using a 3.x.x version.I can see that the
isEvalSupportedoption has been set to false in the 8.0.2 release, which stops the vun from being possible, but for ci pipelines that use a tool like docker scout, it will fail deployments regardless.Proposed solution
Update pdfjs-dist to 4.2.67
Alternatives
The alternative has already been implemented, which is fine for users who don't give a hoot about security.
Additional information
No response